Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07/06/2024, 19:53
Behavioral task: behavioral1
Sample: 1.exe
Resource: win7-20240221-en
General
Target: 1.exe
Size: 45KB
MD5: 4d820f671919b3029173d8659aa59600
SHA1: af68a0b9e9c58dcbdd2ede205c30537bca39650c
SHA256: c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0
SHA512: 5db8f64f97765447bbebe42044984ae73cc1b418c5d2616cd3d4cf0bcf03014c1883d37d4dcaffa35cf5d0453301495f8d01f6e01ff4c516be019147f0f33d6e
SSDEEP: 768:1dhO/poiiUcjlJInVZZbH9Xqk5nWEZ5SbTDacuI7CPW5r:Lw+jjgndbH9XqcnW85SbT5uIj
Malware Config
Extracted
Family: xenorat
C2: performance-ha.gl.at.ply.gg
Putty
delay: 5000
install_path: appdata
port: 33365
startup_name: Windows Updater
Signatures
Executes dropped EXE (1 IoC)
  pid 2572, process 1.exe
Loads dropped DLL (1 IoC)
  pid 1948, process 1.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2612, process schtasks.exe
Suspicious behavior: EnumeratesProcesses (63 IoCs)
  pid 2572, process 1.exe (the same entry, repeated 63 times)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid 2572, process 1.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1948 (1.exe) wrote to memory of 2572; procid_target 28 (4 identical entries)
  PID 2572 (1.exe) wrote to memory of 2612; procid_target 29 (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  PID: 1948
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\XenoManager\1.exe
    command line: "C:\Users\Admin\AppData\Roaming\XenoManager\1.exe"
    PID: 2572
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /Create /TN "Windows Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2655.tmp" /F
      PID: 2612
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 1KB
  MD5: a0449a13ac1dfc501ac54ec20546041e
  SHA1: dd10c4d3abb7c4e6ff5abdaa077ad7a114d73bcf
  SHA256: 744a0d8f4918500ee4cb6ec0f6ca5002a7d5809081e00572815a4a96c198b2bb
  SHA512: 83ac2d9b1bcbb3eb201abdfa66d190a07bb11a658eee2b9c9cfe93fb1bd634c6d49d6c97d1deccfe52a9a2f1e3ac61f71432d7e2fc118787059eaa7f8cfcda5f
File 2 (same hashes as the submitted sample 1.exe)
  Filesize: 45KB
  MD5: 4d820f671919b3029173d8659aa59600
  SHA1: af68a0b9e9c58dcbdd2ede205c30537bca39650c
  SHA256: c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0
  SHA512: 5db8f64f97765447bbebe42044984ae73cc1b418c5d2616cd3d4cf0bcf03014c1883d37d4dcaffa35cf5d0453301495f8d01f6e01ff4c516be019147f0f33d6e